• by Ray Schultz , January 31, 2019

Employees may be overdoing it when fighting phishing attacks.

A new study by Agari shows that 50% of the 23,053 phishing incidents reported within companies per year are false positives.

Investigating a phishing incident takes almost six hours, at a cost of $253, and even false positives take four hours, Agari says. But it’s better to be safe than sorry, as 96% of all data breaches begin with an email, Agarai reports. Successful attacks cost companies $7.9 million per incident.

Account takeover (ATO) attacks now make up 20% of all email incidents, the study notes. These are harder to detect than traditional attacks because they seem legitimate to both email filters and end users.

“Credential phishing was already a huge risk for organizations because of the potential for data breach, but now there is a new wave of account takeover attacks leveraging compromised accounts to commit additional fraud, which evade traditional email security controls,” states Crane Hassold, senior director of threat research for Agari.

The study also reveals that one-third of advanced email attacks against C-level executives use display name deception that impersonates an individual.

Microsoft remains the most impersonated brand name. However, attacks impersonating the Internal Revenue Service surged in the fourth quarter -- making up nearly 10% of attacks, compared to less than 1% in the prior quarter.

W-2 scams proliferate around the tax season.

Agari also reports that DMARC adoption is up by 15% from the third quarter.

DMARC use by Fortune 500 companies rose to 54%, compared to 51% three months before.

Agari surveyed over 300 businesses in the U.S. and U.K.